Frequently in computer systems, access to some resource, such as a network or files stored on the network, is restricted to authorized entities. For example, resources may be made available only to authorized users or from authorized devices. Accordingly, before access to a resource is provided, an entity seeking access may be authenticated.
Authentication may be performed according to a protocol that uses a set of credentials. As part of the protocol, a device may exchange credentials with some authentication mechanism that, if proper credentials are provided according to the protocol, can enable the device to access a resource. An authentication mechanism may be, for example, an access control server.
Many different types of authentication protocols are available, and each type may use different credentials or different types of credentials. To facilitate the exchange of credential information, authorization components in the software in both the device and the authentication mechanism may communicate. To account for the wide range of possible protocols, many computing devices incorporate an authentication framework that accepts methods, each of which, when invoked, can execute an authorization protocol. A widely used authentication framework is the Extensible Authentication Protocol (EAP).
EAP is an Internet Engineering Task Force (IETF) standard that provides a framework for network access clients and authentication servers to host plug-in modules, or EAP methods, for many authentication methods and technologies. EAP, which was originally created as an extension to Point-to-Point Protocol (PPP), is highly flexible and supports arbitrary network access authentication methods. EAP is used for IEEE 802.1x specification-based (enterprise) network access to authenticate network access server (NAS) devices such as Ethernet switches and wireless access points (AP). With EAP authentication protocols such as Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), and MS-CHAP version 2 (MS-CHAPv2), a specific authentication mechanism is chosen during the link establishment phase. During the authentication phase, the negotiated authentication protocol allows the exchange of credential information.
The exact authentication scheme to be used is negotiated by the network access client and the authentication server (e.g., the Remote Authentication Dial-In User Service (RADIUS) server). A connecting client that associates with an access point cannot gain access to the network until the user performs a network logon. After association, the client and the authentication server may exchange EAP messages to perform mutual authentication, with the client verifying the authentication server credentials, and vice versa.
Currently, various EAP methods use different set of credentials to authenticate with the authentication server (e.g., a backend RADIUS server). Acquiring these credentials from the user or a device and using them for authentication is specific to each EAP method and is handled completely inside the EAP method.
Authentication may be performed in different forms, one of which is a Single Sign-on (SSO) that enables a user to authenticate once and gain access to one or more local machines, multiple network software systems, applications, and other resources.